New virus spreads by attacking Borland compiler

An imaginative new virus that infects programs as they are being compiled has claimed its first scalps, infecting software sent out on a cover CD by a major German computer magazine and even other malware programs.

By
John E Dunn
| Aug 21, 2009

Share

TwitterFacebookLinkedInGoogle Plus

An imaginative new virus that infects programs as they are being compiled has claimed its first scalps, infecting software sent out on a cover CD by a major German computer magazine and even other malware programs.

The 18/2009 edition of Computer Bild reportedly distributed the Win32.Induc virus inside an obscure browser aids called TidyFavorites 4.1 to its four million readership. The software is also believed to have infected a second program, Any TV Free 2.41, and Sophos reports with some irony of having discovered it inside several unnamed bank-hacking Trojans.

How it got into the programs is the interesting part of the story. According to a range of security companies that have been warning of the virus in the last week, Win32.Induc targets the Pascal-based Borland Delphi development tool, inserting its executable into any software compiled by the program.

Anyone running an application infected with the parasitic malware will become a new host for its further spread, assuming they too use the Delphi compiler, which makes it perhaps the first virus to successfully attack only one type of professional user.

Fortunately, the virus doesn't do anything, but could still cause a certain amount of havoc if apparently legitimate programs are quarantined by unhappy anti-virus software, experts have said.

"This is a real challenge for anti-virus vendors and those on the receiving end. When AV scanners start identifying applications as infected with Win32.Induc, it's an open question whether or not the scanners can clean them," said Michael St. Neitzel, VP of threat Research and technologies at security vendor, Sunbelt Software.

Related

"If they can't, the original developers are going to be required to get the infection out of their Delphi compilers, recompile the applications and get the clean code back to their customers. Given there could be different versions of the infected applications in circulation, this is going to be a real nightmare for some companies to deal with," he said.

As novel as the virus sounds, according to Graham Cluley of Sophos, the outline of the technique has been tried at least once before, albeit with far less success. Three years ago, the company discovered a virus, dubbed Win32.Gattman, which attacked the Interactive Disassembler Pro (IDA) analysis tool used by malware researchers, probably as a grudge act against the anti-malware community.